Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel EMA in Admin Control Mode. Issue with self-signed certificate from internal Server CA

xevi
Beginner

Hi everybody, we are trying to work with EMA and ACM.

In Client Control Mode everything works fine between EMA server and clients.

We have created a certificate with our internal CA server and this Certificate Provisioning (TLS-PKI) certificate is correctly uploaded to the EMA server.

The problem is that there is no communication between clients and server.

We think that we must load our server CA on the clients manually.

Is there any way to make this with EMA Agent?

Or is there some other better method?

Is there documentation on this specific topic?

Thanks in advance,

16 Replies
Victor_G_Intel
Employee

Hello xevi,


Thank you so much for contacting Intel customer support,


Before moving forward with your request please provide the information below:


  1. EMA version being used:
  2. AMT version(s) used:
  3. Are the endpoints landless systems?
  4. Is the EMA server installed on a physical server or a virtual machine?
  5. Are the endpoints in the same network as the EMA server?
  6. How many endpoints do you have in your deployment?
  7. Please share the OS being used on the EMA server.


Best regards,


Victor G.

Intel Technical Support Technician


xevi
Beginner

Hello Victor, here is my answer to your request:

Intel EMA v1.9.1.0
EMA Agent v1.9.0
Intel ME v16.1.25.1932
Windows Server 2022 21H2 physical server
Endpoints with Windows 11 22H2 and connected wired
At the moment 7 endpoints, but there will be many more
With Client Control Mode we can 'see' our CIRA-connected computers in-band and out-of-band, both outside and inside our company.

Thank you,

Xevi

xevi
Beginner

Sorry Victor,

Windows Server 2022 21H2 virtualized server

In case it's important

Thanks

Victor_G_Intel
Employee

Hello xevi,


Thank you for your response


Regarding your questions, most of the information you need to set up your endpoints correctly in ACM is in our Intel® Endpoint Management Assistant (Intel® EMA) Administration and Usage Guide.


Since your systems are not LAN-less, what you need to do, based on the instructions provided in our guide, is to upload a PKI certificate, which will enable Intel EMA to set the endpoint's Intel AMT into Admin Control Mode (ACM); however, there are a few considerations that you need to keep in mind: the certificate file needs to have the full certificate chain; additionally, it needs to be issued with the supported OID 2.16.840.1.113741.1.2.3 (this is the unique Intel AMT OID).


Another important thing to consider here is that starting with Intel ME 15.0 firmware for desktops, and Intel ME 16.0 firmware for all platforms, Intel is removing support of SHA1 root certificates and RSA key sizes smaller than 2048 bits for Intel AMT provisioning. In those releases and later, it is no longer possible to add SHA1 hashes; therefore, all your certs must be SHA256 based on the AMT version you are currently working with.


In regard to the options to do the provisioning in ACM, we recommend enabling the Intel® AMT Auto-Setup (section 3.6 page 27 of our guide).


Best regards,


Victor G.

Intel Technical Support Technician  


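As an added example (not code from Intel or from anyone in this thread), the Go program below audits a provisioning chain against the requirements just listed: a complete chain ending in a self-signed root, SHA-256 signatures and RSA keys of at least 2048 bits on every certificate, and the Intel AMT OID 2.16.840.1.113741.1.2.3 in the leaf's Enhanced Key Usage. The function names and the constructed root/CA/leaf chain it generates are assumptions of the example; in practice you would pass CheckAMTChain the parsed certificates of your own bundle.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)
var amtOID = asn1.ObjectIdentifier{2, 16, 840, 1, 113741, 1, 2, 3} // Intel AMT provisioning OID named in the thread
var amtEKU = []asn1.ObjectIdentifier{amtOID}                      // EKU list a compliant leaf carries
// CheckAMTChain audits a chain ordered root first, leaf last (as the Windows certification path tab lists it): self-signed root present, SHA-256 signature and RSA key >= 2048 bits on every cert, AMT OID on the leaf.
func CheckAMTChain(chain []*x509.Certificate) (findings []string) {
	if len(chain) == 0 || chain[0].CheckSignatureFrom(chain[0]) != nil {
		return []string{"chain incomplete: first certificate is not a self-signed root"}
	}
	for i, c := range chain {
		if c.SignatureAlgorithm != x509.SHA256WithRSA {
			findings = append(findings, fmt.Sprintf("cert %d: signed with %s, not SHA-256", i, c.SignatureAlgorithm))
		}
		if k, ok := c.PublicKey.(*rsa.PublicKey); !ok || k.N.BitLen() < 2048 {
			findings = append(findings, fmt.Sprintf("cert %d: RSA key missing or shorter than 2048 bits", i))
		}
	}
	if !slices.ContainsFunc(chain[len(chain)-1].UnknownExtKeyUsage, amtOID.Equal) {
		findings = append(findings, "leaf: AMT OID 2.16.840.1.113741.1.2.3 missing from Enhanced Key Usage")
	}
	return findings // empty means the chain meets every requirement quoted in the thread
}
// SampleChain builds a constructed root -> issuing CA -> leaf chain (no Intel or OEM material) so the check runs offline; leafBits and eku (nil to omit the AMT OID) let a caller reproduce the failure cases.
func SampleChain(leafBits int, eku []asn1.ObjectIdentifier) (chain []*x509.Certificate) {
	var prevKey *rsa.PrivateKey
	for i, bits := range []int{2048, 2048, leafBits} { // root, issuing CA, leaf
		key, _ := rsa.GenerateKey(rand.Reader, bits)
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), IsCA: i < 2, BasicConstraintsValid: true,
			Subject: pkix.Name{CommonName: fmt.Sprintf("constructed-%d", i)}, KeyUsage: x509.KeyUsageCertSign,
			NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), UnknownExtKeyUsage: eku} // EKU on all three for brevity; only the leaf's is checked
		parent, signer := tmpl, key // the root signs itself
		if i > 0 {
			parent, signer = chain[i-1], prevKey
		}
		der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
		cert, _ := x509.ParseCertificate(der)
		chain, prevKey = append(chain, cert), key
	}
	return chain
}
```

CheckAMTChain(SampleChain(2048, amtEKU)) returns no findings, while SampleChain(1024, nil) reports the short leaf key and the missing OID.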
xevi
Beginner

Hello Victor, we had already created the certificate with the OID 2.16.840.1.113741.1.2.3 and SHA256.

We have followed the guide and AMT Auto-Setup is enabled.

As I explained to you, the certificate is correctly loaded on the server, but there is no communication with our clients.

'We think that we must load our server CA on the clients manually.'

Could you please help us?

Thanks in advance,

Xevi

JoseH_Intel
Moderator

Hello xevi,


This looks like there are 2 separate issues here.

  1. Communication between EMA server - nodes
  2. Provisioning certificate to make the nodes Admin Control Mode

The connectivity issue might be related to your network environment. For testing purposes, you want to have the EMA server and the provisioned nodes within the same LAN. An external LAN is possible by opening ports.

The provisioning cert is only required for provisioning the nodes in Admin Control Mode (ACM). Without the cert the node will provision in Client Control Mode, but the communication should still exist.


Regards


Jose A.

Intel Customer Support Technician


xevi
Beginner

Hello Jose A., the first sentence of the post was:

'In Client Control Mode everything works fine between EMA server and clients.'

The issue is in ACM, and because of our self-signed cert. there is no communication with the endpoints.

Could you please help us?

Thanks,

Xevi

Victor_G_Intel
Employee

Hello Xevi,



Thank you for your response.



To continue with the assistance and continue investigating on our end please provide the following:


  1. Can you please confirm whether the certificate you are using is a self-signed certificate or a certificate provided by a vendor?
  2. We will require some pictures of the certificate you are using with EMA; specifically, we will require a screenshot showing the full Enhanced Key Usage tab, the full Certification Path tab, and the OID. Additionally, you will have to make sure all the certificates found in the certification path of the EMA certificate are SHA256.


Best regards,



Victor G.

Intel Technical Support Technician  


xevi
Beginner

Hello Victor, I am sending you the pictures.

Capture_1.PNG

Capture_2.PNG

If you need something else, please ask me.

Thank you,

Xevi

xevi
Beginner

Hello, as you can see we are using a self-signed certificate.

Thanks,

Xevi

Victor_G_Intel
Employee

Hello xevi,

Thank you so much for your response,

The Self-Certificate picture you sent only shows 2 lines in the chain. It should have 3 lines, and each line needs to be SHA256.

In order to create a new certificate please follow the document called: Intel® Setup and Configuration Software (Intel® SCS) User Guide v12.2. You will need to follow sections 10.5 and 10.5.1 only.

Note: Intel will release a newer document on Self-Certificates for EMA later.

Additionally, the installation of the PKI DNS suffix will have to be made manually on each endpoint; this needs to be done this way when using a Self-Certificate. The BIOS of the endpoints only contains the certificate hashes of validated OEM certs.

All you need for the task ahead is in the links below:

How to Create a Self-Certificate Hash for Intel® Active Management Technology (Intel® AMT) Version 14 or Higher

https://www.intel.com/content/www/us/en/support/articles/000059996.html

Intel® AMT SDK

https://www.intel.com/content/www/us/en/download/704388/intel-amt-sdk.html?cache=1639697797

Intel® Setup and Configuration Software (Intel® SCS) User Guide v12.2

https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf

As an example, the certificate should look like the one shown in the attached picture; however, please bear in mind this is an OEM cert.

Best regards,

Victor G.

Intel Technical Support Technician

Victor_G_Intel
Employee

Hello xevi,

Were you able to check the previous post?

Please let me know if you need further assistance.

Regards,

Victor G. 

Intel Technical Support Technician 

xevi
Beginner

Hello Victor_G,

I'm sorry I didn't reply earlier. My boss locked me in a cage and threw me peanuts.

The certificate is already created correctly. We had entered the PKI DNS suffix in the BIOS; we even tried to save the certificate hash (this has not been possible).

The certificate that you show with three lines is from a certificate authority that is already available in every BIOS that has vPro. We think ours has two lines because it is self-signed.

If you can provide us with more information, we would greatly appreciate it.

Thank you very much,

Xevi

MIGUEL_C_Intel
Employee

Hello, Xevi,


The Self Certificate creation is tricky and takes some extra time. First, please follow the steps of the article:

How to Create a Self-Certificate Hash for Intel® Active Management Technology (Intel® AMT) Version 14 or Higher

https://www.intel.com/content/www/us/en/support/articles/000059996.html


The first section describes the certificate creation; it then provides the tool to generate a SHA256 PKI DNS entry and copy it to the endpoint.


The USBFile.exe tool is included in the Intel® Active Management Technology SDK .zip file.


If you found issues while creating the Self Certificate, please send us screenshots of the errors.


Regards,

Miguel C.

Intel Customer Support Technician


Victor_G_Intel
Employee

Hello xevi,


Were you able to check the previous post?


Please let me know if you need further assistance.

Regards,


Victor G. 

Intel Technical Support Technician  


Victor_G_Intel
Employee

Hello xevi,


We have not heard back from you.


If you need any additional information, please submit a new question as this thread will no longer be monitored.


Regards,


Victor G.

Intel Technical Support Technician

